Feds declare big win over Cryptolocker ransomware

Gregg Keizer, July 16, 2014

A status update filed in Pennsylvania by the U.S. Department of Justice said that both the Gameover Zeus botnet and Cryptolocker 'remained neutralized.'

Even as security researchers reported that the hacker gang responsible for the Gameover Zeus botnet has begun distributing new malware, U.S. government officials last week claimed victory over the original botnet and said that the Cryptolocker ransomware it had been pushing has been knocked out.

On Friday, July 11, the Department of Justice (DOJ) filed a status update with a Pennsylvania federal court, telling the judge that both the Gameover Zeus botnet and Cryptolocker "remained neutralized."

"Analysis to date indicates that all or nearly all of the active computers in the [Gameover Zeus] network are communicating exclusively with the substitute server established pursuant to this Court's Orders," the document stated.

In early June, the DOJ, along with law enforcement agencies in several other countries, grabbed control of the Gameover Zeus botnet, and filed both criminal and civil charges against the alleged administrator of the botnet, Evgeniy Bogachev, a Russian national who remains at large.

Cryptolocker, a type of "ransomware" — the term for extortion malware that encrypts files and then tries to convince users to pay to decrypt them so they can again be opened — was distributed exclusively by Gameover Zeus.

The disruption of the original Gameover Zeus, and cleanup efforts by various countries' computer incident response teams (CIRTs) and Internet service providers (ISPs), have reduced the number of infected PCs by more than 31%, the DOJ said in the Friday report. More than 137,000 machines remain infected, however.

"Government testing of Cryptolocker malware samples has confirmed that Cryptolocker is no longer able to encrypt newly infected computers and, as a result, is not currently a threat," the prosecutors added. "Cryptolocker must communicate with its command and control infrastructure in order to encrypt newly infected computers. As of today, the injunctive relief ordered ... knocked all of Cryptolocker's infrastructure offline, and has thereby neutralized Cryptolocker."

Court orders last month allowed authorities to seize the servers that issued commands to Gameover Zeus and Cryptolocker, and to redirect infected PCs' requests for instructions to government-controlled servers instead.
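The mechanism the last two paragraphs describe, as an added illustration that is not part of the article or of the DOJ filing: infected machines keep looking up their command-and-control hosts, the court order makes those lookups answer with a government-controlled "substitute server" (a sinkhole), and every request that then reaches the sinkhole identifies one machine that still needs cleanup. All host names, IP addresses and log lines below are constructed placeholders in documentation address ranges, not real Gameover Zeus or Cryptolocker indicators.

```python
"""
Toy model of a court-ordered sinkhole (added example, not the article's or
the DOJ's code). Names, addresses and log lines are constructed placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed placeholder list of C2 host names covered by a seizure order,
# and the substitute server their lookups are redirected to.
SEIZED_C2_HOSTS = {"c2-example-one.invalid", "c2-example-two.invalid"}
SINKHOLE_IP = "192.0.2.10"  # TEST-NET-1 documentation range, not a real server


def resolve(name, upstream):
    """Resolver with the takedown override applied: any name on the seized
    list answers with the sinkhole; everything else uses the upstream table
    (a plain dict standing in for normal DNS)."""
    if name.lower().rstrip(".") in SEIZED_C2_HOSTS:
        return SINKHOLE_IP
    return upstream.get(name)


# Constructed sinkhole access log: "<timestamp> <source_ip> <host_requested> <path>".
# Each source IP here is a machine still running the bot and beaconing.
SINKHOLE_LOG = """\
2014-07-11T08:00:01Z 203.0.113.5 c2-example-one.invalid /gate.php
2014-07-11T08:00:07Z 203.0.113.5 c2-example-one.invalid /gate.php
2014-07-11T08:01:30Z 198.51.100.23 c2-example-two.invalid /gate.php
2014-07-11T08:02:00Z 198.51.100.77 c2-example-two.invalid /gate.php
malformed line that should be skipped
2014-07-11T08:03:12Z 203.0.113.5 c2-example-two.invalid /gate.php
"""


def parse_sinkhole_log(text):
    """Yield (timestamp, source_ip, host) tuples; skip lines that do not
    parse or whose source field is not a valid IP address."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, src, host = parts[0], parts[1], parts[2]
        try:
            ip_address(src)
        except ValueError:
            continue
        yield ts, src, host


def infected_hosts(text):
    """Map each source IP that reached the sinkhole to the C2 names it asked
    for. Every key is one still-infected machine; this per-IP table is what
    a sinkhole operator would hand to the owning ISP or CIRT for cleanup."""
    seen = defaultdict(set)
    for _, src, host in parse_sinkhole_log(text):
        seen[src].add(host)
    return dict(seen)


def cleanup_progress(before, after):
    """Percent reduction in the infected-machine count between two sinkhole
    observation windows (rounded to one decimal)."""
    if before == 0:
        return 0.0
    return round(100.0 * (before - after) / before, 1)


if __name__ == "__main__":
    upstream = {"www.example.com": "93.184.216.34"}
    print("bot lookup  ->", resolve("c2-example-one.invalid", upstream))
    print("normal lookup ->", resolve("www.example.com", upstream))
    for ip, names in sorted(infected_hosts(SINKHOLE_LOG).items()):
        print(f"still infected: {ip} (asked for {', '.join(sorted(names))})")
    print("cleanup progress:", cleanup_progress(1000, 690), "%")
```

The takedown works because the bot's encryption step depends on reaching its real C2; once the name lookups answer with the sinkhole, the bot talks only to the substitute server, which is exactly the "communicating exclusively with the substitute server" observation in the DOJ filing. The same sinkhole traffic doubles as the inventory of machines that still need cleaning, which is why the infected count can be tracked over time.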

The hackers, no longer able to reach their command-and-control servers once authorities seized the systems last month, have created an alternative botnet that relies on a more centralized infrastructure, said SecureWorks.